b"           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n  FOLLOW-UP: THE SOCIAL SECURITY\nADMINISTRATION'S IMPLEMENTATION OF\nPROGRAM OPERATIONS MANUAL SYSTEM\n     SECURITY REQUIREMENTS FOR\n DISABILITY DETERMINATION SERVICES\n\n      May 2009   A-14-08-18076\n\n\n\n\nAUDIT REPORT\n\x0c                                    Mission\nBy conducting independent and objective audits, evaluations and investigations,\nwe inspire public confidence in the integrity and security of SSA\xe2\x80\x99s programs and\noperations and protect them against fraud, waste and abuse. We provide timely,\nuseful and reliable information and advice to Administration officials, Congress\nand the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xef\x81\xad Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xef\x81\xad Promote economy, effectiveness, and efficiency within the agency.\n  \xef\x81\xad Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xef\x81\xad Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xef\x81\xad Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xef\x81\xad Independence to determine what reviews to perform.\n  \xef\x81\xad Access to all information necessary for the reviews.\n  \xef\x81\xad Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nWe strive for continual improvement in SSA\xe2\x80\x99s programs, operations and\nmanagement by 
proactively seeking new ways to prevent and deter fraud, waste\nand abuse. We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                            SOCIAL SECURITY\nMEMORANDUM\n\nDate:   May 27, 2009                                                         Refer To:\n\nTo:     The Commissioner\n\nFrom:   Inspector General\n\nSubject: Follow-up: The Social Security Administration\xe2\x80\x99s Implementation of Program Operations\n        Manual System Security Requirements for Disability Determination Services\n        (A-14-08-18076)\n\n\n        OBJECTIVE\n\n        Our objective was to determine whether the Social Security Administration (SSA)\n        implemented recommendations in the following Office of the Inspector General (OIG)\n        reports and PricewaterhouseCoopers (PwC) Management Letters.\n\n        \xef\x82\xb7     General Controls of the Alabama Disability Determination Services Claims\n              Processing System Need Improvement (A-14-02-22089)\n\n        \xef\x82\xb7     General Controls of the Washington Division of Disability Determination Services\n              Claims Processing System Need Improvement (A-14-02-22093)\n\n        \xef\x82\xb7     PwC Management Letters issued for its Fiscal Years (FY) 2001 through 2007\n              financial statement audits\n\n        We limited our review to those recommendations that requested modifying the Program\n        Operations Manual System (POMS) privacy and security procedures for disability\n        determination services (DDS).\n\n        BACKGROUND\n\n        The Disability Insurance program provides benefits to wage earners and their families in\n        the event the wage earner becomes disabled. 
The Supplemental Security Income program was designed to help aged, blind, and/or disabled people who have little or no income. SSA implements the policies governing the development of disability claims under each program. Disability determinations under both programs are performed by DDSs in each State or other responsible jurisdiction according to Federal regulations.[1]

[1] 20 C.F.R., part 404, subpart Q, and part 416, subpart J.

Each DDS determines claimants' disabilities and ensures there is adequate evidence to support its determinations. On behalf of SSA, DDS personnel process and store personally identifiable information (PII),[2] such as names and Social Security numbers.

[2] Office of Management and Budget (OMB) Memorandum M-07-16 defines PII as "...information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."

POMS[3] contains required and recommended privacy and security policies for DDSs. Those that address maintaining and safeguarding SSA's systems of records are mandatory, while those that address DDS facilities and personnel are discretionary provided they do not conflict with State security directives. To ensure the information SSA entrusts to the DDSs is protected in accordance with Federal laws and regulations as well as Agency policies and procedures, it is critical for SSA to keep POMS current and complete and monitor the DDS' compliance with POMS.

[3] POMS, DI 39567, DDS Privacy and Security. Before October 1, 2005, the DDS privacy and security policies were contained both in POMS and the DDS Security Document (DSD). On that date, however, the DSD was incorporated into POMS.

SSA issued new DDS privacy and security policies in August 2001; therefore, we determined whether SSA incorporated recommended changes to POMS from that date. The OIG made recommendations in 2002 and 2003, and PwC, under the direction of the OIG, made recommendations during its 2001 through 2008 annual audits. In these audits, PwC tested general controls at three DDSs, issuing Management Letters with recommendations to improve DDS' general controls.

We determined the status of the recommendations made in these reports. For those recommendations implemented, we performed limited compliance testing. For those recommendations not implemented, we reviewed SSA's basis for non-implementation and re-assessed the need for implementation based on mitigating controls in POMS. For additional information on our scope and methodology, see Appendix B.

RESULTS OF REVIEW

SSA implemented most of the recommendations[4] in two OIG reports and seven PwC Management Letters that requested modifying the POMS privacy and security procedures for DDSs. The following table summarizes the number of recommendations implemented and unimplemented as well as the total number of recommendations addressed in this report.

[4] The OIG reports and PwC Management Letters presented 37 recommendations that recommended 44 changes to POMS. We considered each recommended change to POMS to be one recommendation.

                 Recommended Changes to POMS
        Implemented     Unimplemented     Total
            32               12             44

Of the 32 implemented recommendations, we performed limited compliance testing on the 28 implemented before October 2008.[5]
Although new POMS requirements were released in October 2008, we did not test the compliance of the four recommendations addressed in that release to allow the DDSs time to make any necessary changes. Most noncompliance found during testing related to DDS security plans or was minor and related to inadequate documentation of procedures.

[5] The remaining four recommendations were implemented in October 2008. Since these recommendations were recently added to POMS, we have not tested them in the DDSs. See Appendix C for details on the recommendations.

For the 12 unimplemented recommendations, we reviewed SSA's basis for rejection and mitigating controls in POMS to determine which recommendations we believe the Agency still needs to implement. We found that SSA had compensating controls in place for 11 of the unimplemented recommendations, and we consider these recommendations addressed. However, the Agency should reconsider and implement the remaining recommendation, which related to parking garage access controls.

Implemented Recommendations

SSA implemented 32 recommendations to revise POMS. These recommendations addressed the following security topics.

• Physical security requirements at the perimeter and sensitive areas in DDS facilities.
• Separation procedures for terminated personnel and removing sensitive equipment/information.
• Criminal background checks for new hires.
• Limited system access and guidance on reviewing security violation reports.
• The sufficiency, format and management review of the DDS security plan, including expanding contingency plan procedures to ensure continuity of operations at DDS facilities.

In response to the recommendations to improve DDS security policy, SSA updated the DSD and relevant POMS chapters numerous times between December 2001 and October 2008. While establishing policy is important, compliance with policy is equally important. As a result, we performed limited compliance testing on the 28 recommendations implemented before October 2008. Most noncompliance issues were related to DDS security plans or inadequate documentation of procedures.

Among the implemented recommendations tested were specific requirements for security plan content and the plans' annual review by DDS management. Despite these requirements, two of three DDS security plans reviewed in 2008 did not comply with POMS. Furthermore, in 2006 and 2007, two of three plans reviewed were missing at least half the prescribed sections. We, therefore, recommend POMS require that Regional Office staff annually review the security plans and submit approvals or modification requests to the DDSs.

SSA implemented four recommendations in the October 2008 release of POMS, two of which were added after we brought the issues to the Agency's attention. Although the new POMS requirements were effective in October 2008, we did not test the compliance of the four recommendations implemented in that release because the DDSs did not have adequate time to make any necessary changes.

Unimplemented Recommendations

SSA considered, but did not implement, 12 of 44 recommendations.[6] Eleven of these recommendations have been mitigated through compensating controls;[7] however, the following recommendation has not been mitigated and needs to be incorporated into POMS.

[6] See Appendix C for a full list of recommendations.
[7] See Appendix D for a list of the 11 recommendations and mitigating controls.

• SSA should issue guidance for DDS security management to document and follow formal procedures for checking vehicles prior to allowing them entrance into the DDS parking garage.
  The door to the parking garage should remain closed until the person or vehicle attempting to enter the garage is verified by the guards.

We recognize current arrangements may not permit DDSs to control parking garage access; however, POMS must address this issue to ensure DDSs consider this action in the future.

CONCLUSION AND RECOMMENDATIONS

We found SSA implemented the majority of the recommendations made in two OIG reports and seven PwC Management Letters that requested modifying POMS privacy and security procedures for DDSs. However, to further improve the security program administered by all DDSs, we recommend that SSA modify POMS to:

1. Require that Regional Office staff annually review DDS security plans and submit approvals or modification requests to the DDSs.

2. Implement the prior recommendation to provide guidance for DDS security management to document and follow formal procedures for checking vehicles prior to allowing them entrance into the DDS parking garage. The door to the parking garage should remain closed until the person or vehicle attempting to enter the garage is verified by the guards.

AGENCY COMMENTS

SSA agreed with our recommendations. The Agency's comments are included in Appendix E.

Patrick P. O'Carroll, Jr.

Appendices

APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Status of Reviewed Recommendations
APPENDIX D – Mitigating Controls for Unimplemented Recommendations
APPENDIX E – Agency Comments
APPENDIX F – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms

CDP     Center for Disability Programs
C.F.R.  Code of Federal Regulations
CSI     Center for Security and Integrity Programs
DDS     Disability Determination Services
DSD     Disability Determination Services Security Document
FY      Fiscal Year
IDS     Intrusion Detection System
OIG     Office of the Inspector General
OMB     Office of Management and Budget
PII     Personally Identifiable Information
PIN     Personal Identification Number
POMS    Program Operations Manual System
PwC     PricewaterhouseCoopers
SSA     Social Security Administration

Appendix B

Scope and Methodology

The objective of this follow-up review was to determine whether the Social Security Administration (SSA) implemented recommendations in two Office of the Inspector General (OIG) reports and seven PricewaterhouseCoopers (PwC) Management Letters issued for its Fiscal Years 2001 through 2007 financial statement audits.

Our scope was limited to those recommendations that requested changes to the Program Operations Manual System (POMS) privacy and security procedures for the disability determination services (DDS). Thirty-seven recommendations fell within this scope, recommending 44 changes to POMS.

To accomplish our objective, we:

• Extracted all recommended changes to the POMS privacy and security procedures the DDSs should follow. Each recommended change was treated as a single recommendation.
• Traced each implemented recommendation to the language that was used to implement it in POMS.
• Reviewed those recommendations unimplemented by the Agency to determine which should be reconsidered for incorporation into POMS.

To assess the implementation of recommendations at the DDSs, we also performed a limited compliance review on the 28 recommendations that were incorporated into POMS before October 2008. Although new POMS requirements were released in October 2008, we did not test the compliance of the four recommendations implemented in that release since the DDSs had not had adequate time to make the necessary changes.

To perform our testing, we partially relied on the work done by PwC during its financial statement review. During its FY 2008 audit, PwC tested 16 recommendations at 3 DDSs. An additional two recommendations concerned triennial reviews, which were last tested during PwC's FY 2006 audit. Most noncompliance found during testing related to DDS security plans or was minor and related to inadequate documentation of procedures.

To provide a sufficient basis to rely on the work done by PwC staff, we:

• Obtained and reviewed evidence concerning the staff's qualifications and independence.
• Obtained and reviewed the latest peer review report on PwC to determine whether the firm had an adequate quality control process in place as of June 2006.
• Reviewed the scope and quality of the work performed at the DDSs and the supporting documentation for its Management Letter findings.
• Reviewed the audit program steps followed for the DDS security tests.

For the remaining 10 recommendations, we conducted limited compliance tests in 5 of the 10 SSA regions. In each of those five regions, we had SSA determine which DDSs had excessed computers. We chose five DDS sites (Maryland, Kansas, New York, Massachusetts and Louisiana) for review. We used computer forensics software to determine whether excessed computer hard drives at these sites had been properly erased per POMS. We also determined whether these five DDSs were complying with the other nine recommended changes to POMS implemented before October 2008 not tested by PwC. We noted one instance of noncompliance; however, because of compensating controls, it did not rise to the level of an exception.

We performed our field work at SSA Headquarters between November 2007 and December 2008. The entity audited was the Office of Operations. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix C

Status of Reviewed Recommendations

The table below identifies whether the Social Security Administration (SSA) implemented recommended changes to the Program Operations Manual System made in two Office of the Inspector General (OIG) reports and seven PricewaterhouseCoopers (PwC) Management Letters issued for its Fiscal Years 2001 through 2007 financial statement audits. These reports recommended 44 changes to POMS.
Of these recommended changes, 32 were implemented and 12 were not implemented.

In the table, the "Implemented" status applies to the whole numbered change; where a change has lettered parts (a, b, c), the status shown for the first part applies to all of them.

Rec.  Source       Category            Implemented   Part
1a    PwC 2003     Physical Security   No            Include requirements in the DDS Security Document to use access mechanisms that are not based on cipher locks, the code for which is easily disclosed.
1b    PwC 2003     Physical Security   No            Use access mechanisms that can log entrances and exits to provide proper audit trails.
2a    Washington   Physical Security   No            Clarify that perimeter security guidelines extend to elevators accessing DDS operations when the DDS is in a multi-tenant building.
2b    Washington   Physical Security   No            Add requirements on the control and security of elevators used to access secure DDS operations.
2c    PwC 2003     Physical Security   No            Install locking doors with card readers outside the elevators on each of the DDS floors.
3a    Alabama      Physical Security   Yes           Expand the building perimeter security guidance to include the security of lobby entrances into DDS operational areas.
3b    Washington   Physical Security   Yes           Clarify that perimeter security guidelines extend to DDS entrances in addition to building entrances when the DDS is in a multi-tenant building.
4     PwC 2006     Physical Security   Yes (10/08)   Update the DDS annual self review checklist to require DDS management to perform an annual recertification of personnel with physical access to the DDS, including sensitive areas of the DDS, such as the computer room.
5a    Alabama      Physical Security   No            Require the installation of burglar alarm system devices in computer and telephone rooms if a perimeter burglar alarm system has not been installed.
5b    PwC 2003     Physical Security   No            The DDS computer room should be secured with alarms, motion sensors or other detection devices to identify unauthorized access during times when the computer room staff is not present. Such devices should automatically notify a monitoring center.
6     Alabama      Physical Security   No            Guidance and instruction to provide a consistent framework (types, use and placement) for burglar alarm system devices and smoke detectors in a DDS.
7     PwC 2003     Physical Security   Yes (10/08)   Install automatically closing computer room doors.
8     Alabama      Physical Security   Yes           Clearly state that computer room locks should be keyed separately from the building master keys.
9     Alabama      Physical Security   Yes           Guidance on the control and security of a telephone room when the telephone system is located in a separate room from the computer room.
10    PwC 2002     Physical Security   Yes           Update the DDS Security Document to include specific guidance related to the protection of the computer rooms that do not have true walls that extend from floor to ceiling. This guidance should include alternate methods to secure the computer rooms other than extending the walls. A common practice is to install chain link fences, heavy wire mesh, or motion sensor alarms in the space between the false ceiling and the true ceiling of the facility.
11    Alabama      Physical Security   Yes           Guidance and security procedures for computer rooms located on a perimeter wall with windows.
12    PwC 2003     Physical Security   Yes           Completely enclose the wiring closets.
13a   PwC 2003     Physical Security   No            The door to the parking garage should remain closed until the person or vehicle attempting to enter the garage is verified by the guards.
13b   PwC 2003     Physical Security   No            DDS security management should formally document (and ensure the guards are consistently following) formal procedures for checking vehicles prior to allowing them entrance into the DDS parking garage.
14    PwC 2007     Physical Security   Yes           Update the POMS guidelines to specifically include the authentication of visitors to a government issued photo ID (driver's license, passport, state-issued ID badge) prior to entering the DDS facility.
15    PwC 2004     Physical Security   No            Complete a risk assessment to determine if metal detectors or X-ray machines would be an appropriate solution for this weakness.
16a   PwC 2003     Physical Security   Yes (10/08)   Address the physical security concerns by screening personnel and packages at the entrances to the DDS facility. The requirement to perform this procedure should be added to the DDS Security Document.
16b   PwC 2004     Physical Security   Yes (10/08)   Develop procedures to inspect the belongings of personnel and visitors entering the facility.
17    Alabama      Physical Security   No            Guidance on conducting a risk-based, cost-benefit analysis to determine whether existing and future DDS buildings without a sprinkler system should have one installed.
18    PwC 2002     Access Control      Yes           Provide DDS management with detailed guidance and procedures that should be completed when the DDS is disposing of or removing sensitive information or equipment from the DDS.
19    PwC 2002     Access Control      Yes           Update the DDS Security Document to ensure that specific guidance is given with relation to the separation procedures for terminated (or extended leave) or separated employees. This guidance should include all activities that are required to take place during employee exit procedures, including the return of property and the removal of access accounts from system and application environments.
20    Washington   Access Control      Yes           Add requirements to change shared entrance combinations whenever DDS personnel cease employment.
21a   PwC 2002     Suitability         Yes (10/08)   Require all DDS employees to complete an employee suitability review process. These reviews should be conducted in a manner that is consistent with the overall SSA policies related to employee background checks.
21b   PwC 2002     Suitability         Yes (10/08)   Basic background checks performed for all employees of the DDS to ensure a reduction in the risk of hiring personnel that have past criminal records. The background checks should be performed in a consistent manner with overall SSA background investigation procedures.
22    Alabama      Suitability         No            Guidance that requires conformity with SSA's suitability program.
23a   Alabama      Technical Security  No            Guidance to specify security training requirements for DDS security officers to obtain and maintain their skills in administering security on an AS/400 or other DDS system.
23b   Washington   Technical Security  No            Establish security officer training requirements that comply with Federal standards.
24    Alabama      Technical Security  No            Guidance to specify the duties DDS security officers should not perform.
25    Alabama      Technical Security  Yes           Guidance on access control procedures relating to approving and documenting DDS system initial requests, access changes and terminations.
26    Alabama      Technical Security  Yes           Guidance to restrict access and limit the use of communication ports in DDS systems.
27    Alabama      Technical Security  No            Guidance on access control procedures relating to using naming standards for profiles and group and temporary profiles.
28    Alabama      Technical Security  Yes           Guidance to restrict access and limit the use of generic profiles including
                         vendor supplied profiles.\n                                            Guidance to restrict access and limit\n                              Technical\n      29          Alabama                   the use of security-related operating       Yes\n                               Security\n                                            system commands.\n                                            Update POMS to specify the timeframe\n                              Technical     in which security violation reports\n      30         PwC 2006                                                               Yes\n                               Security     should be reviewed by DDS\n                                            management.\n                                            Guidance on access control\n                              Technical     procedures relating to monitoring,\n      31          Alabama                                                               Yes\n                               Security     reviewing, and reporting DDS system\n                                            security violations.\n                                            Update the DDS Security Document to\n                                            ensure that specific guidance is given\n                              Security                                                  Yes\n     32a         PwC 2002                   related to the completion of annual\n                               Plan\n                                            security and sanction awareness\n                                            activities for all DDS employees.\n\n\n\n\n                                             C-4\n\x0cRecommendation    Source      Category                    Part                      Implemented\n\n                                         Provide guidance to ensure the\n                              Security   employees are reviewing and signing\n     
32b         PwC 2002\n                               Plan      the awareness documentation on an\n                                         annual basis.\n                                         Identify a specific list of possible DDS\n                              Security   or field office sites for each DDS and\n      33         PwC 2002                                                              Yes\n                               Plan      coordinate agreements related to the\n                                         accommodation of additional workload.\n                              Security   Identify needs in a worst-case\n      34         PwC 2002                                                              Yes\n                               Plan      scenario.\n                                         Document policies and procedures\n                              Security   regarding actions to be taken for each\n      35         PwC 2003                                                               No\n                               Plan      of the Department of Homeland\n                                         Security threat levels.\n                                         Establish and document a clear\n                              Security\n      36         PwC 2002                definition of what work will be               Yes\n                               Plan\n                                         performed at the alternate sites.\n                              Security   Detailed back-up procedures for\n      37          Alabama                                                              Yes\n                               Plan      copies of the contingency plan.\n                                         Create a formal risk-based security\n                              Security   control review that is used at least\n      38         Washington                                                            Yes\n                     
          Plan      every 3 years or whenever a major\n                                         system modification occurs.\n                              Security   Detailed back-up procedures for the\n     39a          Alabama                                                              Yes\n                               Plan      storage of back-up files.\n                                         Update the DDS Security Document to\n                                         define a standard rotation schedule to\n                              Security\n     39b         PwC 2004                maintain back-up tapes at an off-site\n                               Plan\n                                         storage facility for specified amount of\n                                         time.\n                                         Ensure that the DDS security guidance\n                                         is updated to require management\n                              Security   reviews of DDS security plans. This\n     40a         PwC 2002                                                              Yes\n                               Plan      guidance should be in line with the\n                                         overall SSA policies for security plan\n                                         currency.\n                                         Ensure that evidence be maintained of\n                              Security   these reviews. 
This guidance should\n     40b         PwC 2002\n                               Plan      be in line with the overall SSA policies\n                                         for security plan currency.\n                                         DDS continuity of operations plan\n                              Security\n     41a          Alabama                requirements recommended by PwC in            Yes\n                               Plan\n                                         its FY 2001 Management Letter.\n                                         DDS security plan contents that\n                                         comply with OMB Circular A-130,\n                              Security\n     41b          Alabama                Appendix III requirements, as\n                               Plan\n                                         recommended by PwC in its FY 2001\n                                         Management Letter.\n\n\n\n\n                                          C-5\n\x0cRecommendation    Source      Category                     Part                       Implemented\n\n                                         Ensure that POMS 39566.120 is\n                                         updated to include all requirements of\n                              Security   OMB A-130 Appendix Ill with regard to\n     41c         PwC 2002\n                               Plan      security requirements. 
This will ensure\n                                         that the DDS plans are updated in a\n                                         correct format.\n                                         Require the management of each DDS\n                                         to certify at least every 3 years that the\n                              Security   security controls are sufficient to\n      42         Washington                                                              Yes\n                               Plan      warrant the continued use of each\n                                         DDS general support system and\n                                         major application.\n                                         Guidance on access control\n                              Security   procedures relating to conducting\n     43a          Alabama                                                                Yes\n                               Plan      annual reviews of all access privileges\n                                         on DDS and SSA systems.\n                                         A periodic review should be performed\n                                         for the mainframe, NT, WANG, and\n                              Security   AS400 (when fully implemented) to\n     43b         PwC 2002\n                               Plan      ensure that users have only been\n                                         granted access necessary to fulfill job\n                                         responsibilities.\n                                         Annual reviews of NT, AS 400, and\n                              Security\n     43c         PwC 2002                mainframe access required by the\n                               Plan\n                                         DDS Security Document.\n                                         Access to the mainframe compared by\n                              Security   using the actual access 
listings from\n     43d         PwC 2002\n                               Plan      Top Secret to compare to job\n                                         requirements.\n                                         Ensure that the DDS Security\n                                         Document is updated to include\n                                         specific guidance related to the\n                              Security\n     44a         PwC 2002                policies for completing annual                  Yes\n                               Plan\n                                         recertification of personnel with access\n                                         to the WANG, NT, and AS400\n                                         environments.\n                                         SSA policy modified to require\n                              Security   documentation of access reviews\n     44b         PwC 2002\n                               Plan      performed to match access to that\n                                         granted by the Top Secret software.\n\n\n\n\n                                          C-6\n\x0c                                                                                       Appendix D\n\nMitigating Controls for Unimplemented\nRecommendations\nThe table below identifies 11 recommendations to modify the Program Operations\nManual System (POMS) privacy and security procedures for disability determination\nservices (DDS) that were not implemented by the Social Security Administration (SSA). 
Although not implemented, we believe POMS contains mitigating controls that address the concerns of these recommendations.

Footnote 1: See Appendix C for a full list of recommendations.

Recommendation | Part | Mitigating POMS Control and Reference
1a | Include requirements in the DDS Security Document to use access mechanisms that are not based on cipher locks, the code for which is easily disclosed. | Change access codes, such as the intrusion detection system (IDS) code, combination/cipher lock codes, card access codes, and safe combinations, when staff with knowledge of them leave or no longer have a need to know them, or whenever compromise of the codes occurs or is suspected. (DI 39567.040)
1b | Use access mechanisms that can log entrances and exits to provide proper audit trails. | Screen personnel, visitors, and packages at the entrance to the DDS facility. (DI 39567.025) If used by personnel, perimeter doors should have a combination/cipher lock or a card access system. (DI 39567.015)
2a | Clarify that perimeter security guidelines extend to elevators accessing DDS operations when the DDS is in a multi-tenant building. | If a DDS is located in a multi-tenant building, it should be self-contained to the extent possible. (DI 39567.015)
2b | Add requirements on the control and security of elevators used to access secure DDS operations. | (same control as 2a)
2c | Install locking doors with card readers outside the elevators on each of the DDS floors. | (same control as 2a)
5a | Require the installation of burglar alarm system devices in computer and telephone rooms if a perimeter burglar alarm system has not been installed. | Install an intrusion detection system (IDS) in all facilities unless determined unnecessary. (DI 39567.020) Restrict computer room access to management or authorized personnel. (DI 39567.020)
5b | The DDS computer room should be secured with alarms, motion sensors or other detection devices to identify unauthorized access during times when the computer room staff is not present. Such devices should automatically notify a monitoring center. | (same controls as 5a)
6 | Guidance and instruction to provide a consistent framework (types, use and placement) for burglar alarm system devices and smoke detectors in a DDS. | Install an IDS in all facilities unless determined unnecessary. (DI 39567.020) Abide by local fire codes. (DI 39567.030)
15 | Management should also complete a risk assessment to determine if metal detectors or X-ray machines would be an appropriate solution for this weakness. | Screen personnel, visitors, and packages at the entrance to the DDS facility. (DI 39567.025)
17 | Guidance on conducting a risk-based, cost-benefit analysis to determine whether existing and future DDS buildings without a sprinkler system should have one installed. | Abide by local fire codes. (DI 39567.030) Install an IDS in all facilities unless determined unnecessary. (DI 39567.020)
22 | Guidance that requires conformity with SSA’s suitability program. | Although Federal regulations reserve governance of personnel matters to the States, we expect that each DDS will maintain and administer an effective suitability program. DI 39567.260 C in this section establishes the minimum requirement that DDS suitability programs include a statewide criminal background check. Beyond that minimum requirement, States are given broad discretion on the composition, implementation, and administration of their DDS suitability programs. (DI 39567.260)
23 | Guidance to specify security training requirements for DDS security officers to obtain and maintain their skills in administering security on an AS/400 or other DDS system. Establish security officer training requirements that comply with Federal standards. | The DDS Security Officer is responsible for implementing SSA security policies and procedures so that access to SSA data is properly controlled. In carrying out this responsibility, the DDS Security Officer must have the ability and maintain the systems skills to effectively monitor current systems in the areas of certification and violation procedures. (DI 39567.320)
24 | Guidance to specify the duties DDS security officers should not perform. | All users requiring access to SSA/DDS systems must submit Form SSA-120 to their DDS Security Officer to obtain a 6-digit personal identification number (PIN). (DI 39567.060) The DDS Security Officer reviews the form for accuracy and to ensure the user is assigned proper systems access to perform his or her work assignments. Part of the DDS Security Officer’s review is to determine whether the user has already been assigned a PIN. If so, the Security Officer provides the previously assigned PIN to the user after contacting the Center for Security and Integrity (CSI)/Center for Disability Programs (CDP) to reactivate it. If a new PIN is required, the Security Officer signs the form as the requesting official and forwards the form to the CSI/CDP. CSI reviews the form. If the employee requires access, CSI approves the form and issues a PIN, or returns copies of the form to the DDS Security Officer with a previously assigned PIN. CSI or CDP retains the original and informs the DDS Security Officer of the new PIN. (DI 39567.060)
27 | Guidance on access control procedures relating to using naming standards for profiles and group and temporary profiles. | All user profiles, including any generic profiles and profiles for non-DDS employees, should be supported by a DDS access procedure. This procedure should support the access privileges on the iSeries or other case processing system as well as the menu provided to all DDS users in the State claims processing system. (DI 39567.080) Users who do not require a high level of access should have their status updated and special access removed. This review should be conducted on a periodic basis and must be performed at least annually. (DI 39567.105)
35 | Document policies and procedures regarding actions to be taken for each of the Department of Homeland Security threat levels. | Each DDS must create and maintain a Continuity of Operations Plan as part of its DDS Security Plan. The local DDS information provided in the plan is supplementary to the Regional Office plan and is used to assist the Regional Office if continuity of operations efforts for the DDS should become necessary. (DI 39567.190)

Appendix E

Agency Comments

SOCIAL SECURITY
MEMORANDUM

Date:    May 08, 2009                                        Refer To: S1J-3

To:      Patrick P. O'Carroll, Jr.
         Inspector General

From:    James A.
Winn   /s/
         Chief of Staff

Subject: Office of the Inspector General (OIG) Draft Report, “Follow-up: The Social Security Administration’s Implementation of Program Operations Manual System Requirements for Disability Determination Services” (A-14-08-18076)—INFORMATION

Thank you for the opportunity to review and comment on the draft report. We appreciate the comprehensive work that the OIG auditing team did on this report. Our response to the report findings and recommendations is attached.

Please let me know if we can be of further assistance. Please direct staff inquiries to Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.

Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT, “FOLLOW-UP: THE SOCIAL SECURITY ADMINISTRATION’S IMPLEMENTATION OF PROGRAM OPERATIONS MANUAL SYSTEM SECURITY REQUIREMENTS FOR DISABILITY DETERMINATION SERVICES” (A-14-08-18076)

Recommendation 1

Require that regional office staff annually review disability determination services (DDS) security plans and submit approvals or modification requests to the DDSs.

Comment

We agree. We will consider updating Program Operations Manual System (POMS) DI 39567.160 to include a requirement that regional office staff review DDS security plans annually and provide approval or recommended modifications to each DDS.

Recommendation 2

Implement the prior recommendation to provide guidance for DDS security management to document and follow formal procedures for checking vehicles prior to allowing them entrance into the DDS parking garage. The door to the parking garage should remain closed until the guards have verified the vehicle and/or person attempting to enter the garage.

Comment

We agree. We will update POMS DI 39567.015 with language recommending that DDSs with garage parking establish and follow formal procedures for checking vehicles prior to garage entry.

Appendix F

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Phil Rogofsky, Acting Director, Information Technology Audit Division

   Mary Ellen Moyer, Acting Audit Manager

Acknowledgments

In addition to those named above:

   Alan Lang, Senior Auditor

   Michael Zimmerman, Auditor

For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public Affairs Staff Assistant at (410) 965-4518. Refer to Common Identification Number A-14-08-18076.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S.
Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security, Pensions and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit

OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Counsel to the Inspector General

OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. OCIG also administers the Civil Monetary Penalty program.

Office of External Relations

OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG’s media and public information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management

OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG’s strategic planning function, and the development and monitoring of performance measures. OTRM also receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.